Analysis

- max time kernel: 91s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-12-2024 21:58

Static task: static1

Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20240903-en

General

- Target: file.exe
- Size: 2.9MB
- MD5: f45da90410f7d099ab3bd1589a039a79
- SHA1: a7effa8c1fc9b88eea3498ed50011d7a14a7e617
- SHA256: 4fb84272045fc39952401061f10a2ba439d2f2a7c6e30f2448b757caf731df19
- SHA512: 577ae3d2c9f46c57ba71a9437fdf47deac865605b31f0a0a2a2caef90a4346bfa12c0894fe9c3a8dc7a602516bde33d58d483a8c5547452397f15a824c07a864
- SSDEEP: 49152:LcjBVZDZYhTklsZHUwGemMSwvMGKuFk2PGHqv:aBVZD+NklXwG5Mf73eTHqv
Malware Config

Extracted: amadey 4.42 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted: lumma
Extracted: cryptbot

Extracted: lumma
- https://drive-connect.cyou/api
Signatures

- Amadey family
- Cryptbot family
- Lumma family

Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | eb6b10053c.exe |

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cc13164a6a.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | eb6b10053c.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | eacc350289.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 12da2716b5.exe |

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)

BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cc13164a6a.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cc13164a6a.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 12da2716b5.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | eacc350289.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 12da2716b5.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | eb6b10053c.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | eb6b10053c.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | eacc350289.exe |

Drops startup file (3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk | c5e6IAk1YYC622ma.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk | vhVr86ldP8nozMj8.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk | kfRftPzvF6qnINJ5.exe |

Executes dropped EXE (57 IoCs)
Identifies Wine through registry keys (2 TTPs, 6 IoCs)

Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | file.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | skotes.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | cc13164a6a.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | eb6b10053c.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | eacc350289.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | 12da2716b5.exe |

Loads dropped DLL (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zgr3xA3f\\c5e6IAk1YYC622ma.exe" | c5e6IAk1YYC622ma.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\12da2716b5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015786001\\12da2716b5.exe" | skotes.exe |

Checks installed software on the system (1 TTP)

Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoC)

AutoIT scripts compiled to PE executables.

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x000500000001a4f9-519.dat | autoit_exe |

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)

| pid | Process |
| --- | --- |
| 2520 | file.exe |
| 2704 | skotes.exe |
| 1140 | cc13164a6a.exe |
| 1816 | eb6b10053c.exe |
| 348 | eacc350289.exe |
| 3236 | 12da2716b5.exe |

Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1416 set thread context of 2028 | 1416 | 70b999910a.exe | 66 |

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2096-449-0x000000013FAE0000-0x000000013FF70000-memory.dmp | upx |

Drops file in Windows directory (1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\skotes.job | file.exe |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 1140 | 1560 | WerFault.exe | 48 |
| 2328 | 2304 | WerFault.exe | |

System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kfRftPzvF6qnINJ5.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IQ7ux2z.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GxGoSELtbIIy4VCb.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70b999910a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eacc350289.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eb6b10053c.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c5e6IAk1YYC622ma.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vhVr86ldP8nozMj8.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70b999910a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 12da2716b5.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 60a26bb0cf.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5zr7lNyArZ1m8KAK.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ShtrayEasy35.exe |

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)

Adversaries may check for Internet connectivity on compromised systems.

| pid | Process |
| --- | --- |
| 2576 | powershell.exe |
| 3384 | PING.EXE |

Runs ping.exe (1 TTP, 1 IoC)

| pid | Process |
| --- | --- |
| 3384 | PING.EXE |

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 2884 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)

| pid | Process |
| --- | --- |
| 2520 | file.exe |

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 3 IoCs)

| pid | Process |
| --- | --- |
| 2152 | attrib.exe |
| 2788 | attrib.exe |
| 2448 | attrib.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Identifies Wine through registry keys; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe (PID 2300)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\zgr3xA3f\c5e6IAk1YYC622ma.exe (PID 2836)
        Command line: C:\Users\Admin\AppData\Local\Temp\zgr3xA3f\c5e6IAk1YYC622ma.exe 2300
        Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\vhVr86ldP8nozMj8.exe (PID 1844)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\vhVr86ldP8nozMj8.exe 2300
        Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\kfRftPzvF6qnINJ5.exe (PID 2120)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\kfRftPzvF6qnINJ5.exe 2300
        Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\hmBbyYiqCM2q0ebj.exe (PID 624)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\hmBbyYiqCM2q0ebj.exe 2300
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\vSBjZWpz4nUm7UVJ.exe (PID 1800)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\vSBjZWpz4nUm7UVJ.exe 2300
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\LDW2tcFgjRY2mKFS.exe (PID 2084)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\LDW2tcFgjRY2mKFS.exe 2300
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\qxbq775G5qvDm5lc.exe (PID 700)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\qxbq775G5qvDm5lc.exe 2300
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\BBnlFLaaqRdtB6N8.exe (PID 1484)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\BBnlFLaaqRdtB6N8.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\3JnPC5YdbTFoDSOs.exe (PID 2052)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\3JnPC5YdbTFoDSOs.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\fV1WAeEhVtOcXTfV.exe (PID 1256)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\fV1WAeEhVtOcXTfV.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\ZBplcaLXUbzfeahQ.exe (PID 832)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\ZBplcaLXUbzfeahQ.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\PBilPcCkJVAVm3QM.exe (PID 3028)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\PBilPcCkJVAVm3QM.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\2lwWp8foHX5kCwCy.exe (PID 1524)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\2lwWp8foHX5kCwCy.exe 2300
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\1015564001\GxGoSELtbIIy4VCb.exe (PID 2304)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\GxGoSELtbIIy4VCb.exe 2300
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID 2328)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 208
          Signatures: Loads dropped DLL; Program crash
      - C:\Users\Admin\AppData\Local\Temp\1015564001\5zr7lNyArZ1m8KAK.exe (PID 1560)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\5zr7lNyArZ1m8KAK.exe 2300
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID 1140)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 208
          Signatures: Loads dropped DLL; Program crash
      - C:\Users\Admin\AppData\Local\Temp\1015564001\FGX6OC7QoGeBMz3s.exe (PID 2540)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\FGX6OC7QoGeBMz3s.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\bOfraM05bQRLNEFb.exe (PID 2364)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\bOfraM05bQRLNEFb.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\cd11nXrZKXs92U8A.exe (PID 2872)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\cd11nXrZKXs92U8A.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\hecAqiNeBGDd9flg.exe (PID 316)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\hecAqiNeBGDd9flg.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\IOJmBDWVQd20lJah.exe (PID 1896)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\IOJmBDWVQd20lJah.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\Ss4z6OY36zAJlbzl.exe (PID 1704)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\Ss4z6OY36zAJlbzl.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\qMEX29bJmmBgiw5L.exe (PID 2024)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\qMEX29bJmmBgiw5L.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\Dnwlsl6ER5VKXLd4.exe (PID 408)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\Dnwlsl6ER5VKXLd4.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\qHJPLTaCPRUIUetf.exe (PID 1528)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\qHJPLTaCPRUIUetf.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\3ZTexTyHVnmq1bmg.exe (PID 2664)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\3ZTexTyHVnmq1bmg.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\4vyufNaRcmaJ057F.exe (PID 2156)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\4vyufNaRcmaJ057F.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\xlJoDOsleYTwQQj7.exe (PID 1836)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\xlJoDOsleYTwQQj7.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\iFnvNQ2sKlyT1DWY.exe (PID 2504)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\iFnvNQ2sKlyT1DWY.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\1K0U9pdfSBX8UXWW.exe (PID 2384)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\1K0U9pdfSBX8UXWW.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\gN0JWd2gNcTz8iZz.exe (PID 2420)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\gN0JWd2gNcTz8iZz.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\i4wRFC7oElpLq0z3.exe (PID 2440)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\i4wRFC7oElpLq0z3.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\EftcuEppJPcHM9wX.exe (PID 1840)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\EftcuEppJPcHM9wX.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\sLXcgNfpfWo33YcB.exe (PID 3148)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\sLXcgNfpfWo33YcB.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\rFwpYb6A4Kc3v6CZ.exe (PID 3176)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\rFwpYb6A4Kc3v6CZ.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\Td5y6ZnVvEU3cORl.exe (PID 3280)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\Td5y6ZnVvEU3cORl.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\rVa4FaBNNyfSy73S.exe (PID 3324)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\rVa4FaBNNyfSy73S.exe 2300
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\1015564001\o37ltC79qr3QGnzT.exe (PID 3628)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\o37ltC79qr3QGnzT.exe 2300
      - C:\Users\Admin\AppData\Local\Temp\1015564001\PvjAQvJAbnLOF05E.exe (PID 3824)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\PvjAQvJAbnLOF05E.exe 2300
      - C:\Users\Admin\AppData\Local\Temp\1015564001\RdGEvkectNMuk8HV.exe (PID 3852)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\RdGEvkectNMuk8HV.exe 2300
      - C:\Users\Admin\AppData\Local\Temp\1015564001\cJdhy1M84rYdKU6P.exe (PID 3952)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\cJdhy1M84rYdKU6P.exe 2300
      - C:\Users\Admin\AppData\Local\Temp\1015564001\XESM3rIY79Wdk9QV.exe (PID 1932)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\XESM3rIY79Wdk9QV.exe 2300
      - C:\Users\Admin\AppData\Local\Temp\1015564001\CxEBjZhCtJqMOclA.exe (PID 5640)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\CxEBjZhCtJqMOclA.exe 2300
      - C:\Users\Admin\AppData\Local\Temp\1015564001\rmfpvhZjHakolUpz.exe (PID 6408)
        Command line: C:\Users\Admin\AppData\Local\Temp\1015564001\rmfpvhZjHakolUpz.exe 2300
    - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe (PID 2480)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\1015775001\60a26bb0cf.exe (PID 1508)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015775001\60a26bb0cf.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\system32\cmd.exe (PID 2944)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        Signatures: Loads dropped DLL
        - C:\Windows\system32\mode.com (PID 1240)
          Command line: mode 65,10
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 3000)
          Command line: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 292)
          Command line: 7z.exe e extracted/file_7.zip -oextracted
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 2216)
          Command line: 7z.exe e extracted/file_6.zip -oextracted
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 2864)
          Command line: 7z.exe e extracted/file_5.zip -oextracted
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 2180)
          Command line: 7z.exe e extracted/file_4.zip -oextracted
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 1660)
          Command line: 7z.exe e extracted/file_3.zip -oextracted
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 2408)
          Command line: 7z.exe e extracted/file_2.zip -oextracted
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 3020)
          Command line: 7z.exe e extracted/file_1.zip -oextracted
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\attrib.exe (PID 2152)
          Command line: attrib +H "in.exe"
          Signatures: Views/modifies file attributes
        - C:\Users\Admin\AppData\Local\Temp\main\in.exe (PID 2096)
          Command line: "in.exe"
          Signatures: Executes dropped EXE
          - C:\Windows\system32\attrib.exe (PID 2448)
            Command line: attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
            Signatures: Views/modifies file attributes
          - C:\Windows\system32\attrib.exe (PID 2788)
            Command line: attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
            Signatures: Views/modifies file attributes
          - C:\Windows\system32\schtasks.exe (PID 2884)
            Command line: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
            Signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
            Command line: powershell ping 127.0.0.1; del in.exe
            Signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\PING.EXE (PID 3384)
              Command line: "C:\Windows\system32\PING.EXE" 127.0.0.1
              Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\1015776001\70b999910a.exe (PID 1416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015776001\70b999910a.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\1015776001\70b999910a.exe (PID 2028)
        Command line: "C:\Users\Admin\AppData\Local\Temp\1015776001\70b999910a.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe (PID 2488)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\1015782001\cc13164a6a.exe (PID 1140)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015782001\cc13164a6a.exe"
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger
    - C:\Users\Admin\AppData\Local\Temp\1015783001\eb6b10053c.exe (PID 1816)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015783001\eb6b10053c.exe"
      Signatures: Enumerates VirtualBox registry keys; Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\1015784001\0bcc3dd70d.exe (PID 3000)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015784001\0bcc3dd70d.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\1015785001\eacc350289.exe (PID 348)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015785001\eacc350289.exe"
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\1015786001\12da2716b5.exe (PID 3236)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015786001\12da2716b5.exe"
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\1015787001\6c57bbbefc.exe (PID 3712)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015787001\6c57bbbefc.exe"
    - C:\Users\Admin\AppData\Local\Temp\1015788001\31492f7608.exe (PID 3784)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015788001\31492f7608.exe"
    - C:\Users\Admin\AppData\Local\Temp\1015789001\e1a7e24a01.exe (PID 3156)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1015789001\e1a7e24a01.exe"
- C:\Windows\system32\conhost.exe (PID 3020)
  Command line: \??\C:\Windows\system32\conhost.exe "-472776916393167010-2012927407861361991097509903-1512953772-241577810-1040657476"
- C:\Windows\system32\taskeng.exe (PID 3044)
  Command line: taskeng.exe {87F618EC-CBF5-45E2-9363-CC277DFA6C99} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (3)
Downloads
Filesize: 256KB
MD5: c37a981bc24c4aba6454da4eecb7acbe
SHA1: 2bffdf27d0d4f7c810e323c1671a87ed2d6b644f
SHA256: d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361
SHA512: 2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8

Filesize: 2.8MB
MD5: 0dad190f420a0a09ed8c262ca18b1097
SHA1: b97535bf2960278b19bda8cad9e885b8eefbdc85
SHA256: 29e1e95110c03e84720e213a2bb0dcdff95af85a8a894d71518e06c62131e64a
SHA512: 8ae92676fc5539899414f0a70cba1ed01685b30af9002c68114720d6a7213e4e9c2368e17717c4e3e02650781a022001e4a2e43f83afbd709e7f1ab81003b646

Filesize: 4.2MB
MD5: 3a425626cbd40345f5b8dddd6b2b9efa
SHA1: 7b50e108e293e54c15dce816552356f424eea97a
SHA256: ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512: a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Filesize: 710KB
MD5: 28e568616a7b792cac1726deb77d9039
SHA1: 39890a418fb391b823ed5084533e2e24dff021e1
SHA256: 9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA512: 85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Filesize: 87KB
MD5: 65ca33d1c759d3d8eb1d015d26479271
SHA1: 2b0992769c879e7e22f9e3a18f3d1fb15e0870aa
SHA256: 69bdb80ed6cbffe24e06d5bccea27aa1f6fbca4540e2bc191c85f7a2e91400ea
SHA512: d18f975b4e1d387f88ef1e490ac6456ff19c8138bcde522ccf3302fe6d2199ccfc99ab894ad968af8c76ca412caf9d2b069f6444960c26a057cddb44449be2e9

Filesize: 4.3MB
MD5: ea9d4cdd2c3a08334a9bfca3cc42c9d3
SHA1: 967238207fb0da446d69fb49c100bea5bb11c618
SHA256: 09febedf5fe3b7498edd06359882ccb3b05d55a4e56cb6133960fe1723838845
SHA512: d415b953eaaa3b2a78405489fc025c59afd24117d8af7943fd0fb0903dcb460f200f6ff95a08d1224cf622f6f66105eae6336ef9bc263a6af312a4f1e781216d

Filesize: 4.2MB
MD5: 6a94a20c20e2a75fa16041e1175793e7
SHA1: 40d8df3d0bdfef2eaccb7b14d62f78c9eff5c989
SHA256: 102d2c6aa1e5b2a0d91df5f7dcdf0c8a0393595578ecb714669ef85e1319104d
SHA512: 24250549fc70ffcbccb64eb5a1634005084bdfdccaeff892b6460ef10837d622bcbc817983c922516324b868c935f7d6277b8d919f2abeaf41b4156f948997c1

Filesize: 384KB
MD5: dfd5f78a711fa92337010ecc028470b4
SHA1: 1a389091178f2be8ce486cd860de16263f8e902e
SHA256: da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512: a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Filesize: 1.7MB
MD5: 6c1d0dabe1ec5e928f27b3223f25c26b
SHA1: e25ab704a6e9b3e4c30a6c1f7043598a13856ad9
SHA256: 92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d
SHA512: 3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Filesize: 1.8MB
MD5: 1d13d83ba0b9e54307060da3ad2c16bf
SHA1: 45fe957170c36b1704c25ff65d59dd8bbe6894cd
SHA256: cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0
SHA512: 803e1b9587fc7aab36c96d52fe901fa6dbe0523aa46da23afb0bd50f7ebcbe5bfd9793ac61cbdd4d228159786d240d5161ff80a5e445eaa00fc77cdf455eb526

Filesize: 1.7MB
MD5: 228bc900c337f34da99576e917296e62
SHA1: 0f6393c99373b170166bf3e563d3380914d8afe3
SHA256: 9b4a6a847a0e8ea430a26136519ab7bf301f6b6c3a162d8443300d5e6f50cb86
SHA512: 7c5a8bd94c9cca5267aafd0284573843e77d8cb9294131396a6b434af8d8e489ca33374d718fc45edb7e412c0f8d6832f8a936374a4f6612f2e9395377cd4382

Filesize: 950KB
MD5: a0b7a28c8ae27509d5fdfe9e6582705c
SHA1: 3bcf1aa52032034e3a4968fd2633cabd3b2c2e08
SHA256: 696495731d4eb0f28bc4678f8ea8c20a9c1caf16a460405fea538893a792fd05
SHA512: f197738e61660e4497bd1cc3f3c1b70ebfc403948208cb570b292d3fba78d0ca27487b4784f6680bf219678e861d5b489bc2858f5d99f349c65b6e568dc3c63f

Filesize: 2.6MB
MD5: 1e79d4fce2c654ed8d56747616ec0746
SHA1: 73d8717f19ac08c494ef7a533dbdec599c9a644d
SHA256: 29425b85ecbb9a2009dfe1f482d1a29d65d991eec1f69f7386c782bbc54980d0
SHA512: bc44178b2ae8f8d185f800bd05247080bbd9b7f4c7da587f0c9d2e205358d47e57cb5b4fc03b08f17115bf89fa33cbff5d137f8b82230d4d694f16016cec4ce5

Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Filesize: 440B
MD5: 3626532127e3066df98e34c3d56a1869
SHA1: 5fa7102f02615afde4efd4ed091744e842c63f78
SHA256: 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512: dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Filesize: 1KB
MD5: 62cad385e3722737b664d1a6ec04e477
SHA1: 87391a4a6848a1cb74c896121cd2e8df3b6da694
SHA256: 8167700fa312e96772e7fc9693b7f025ac4a9b852b144e6f4aac45fcccc68ae1
SHA512: 1aeb7e3a25555297bbd13e0caf25ed65aa7302c9b0f6831e34ddcb0c2f559be8985086f058fd4f2d926883ce60dbb3863932e42cba81bf1f08d03fd62eab9f64

Filesize: 2.9MB
MD5: f45da90410f7d099ab3bd1589a039a79
SHA1: a7effa8c1fc9b88eea3498ed50011d7a14a7e617
SHA256: 4fb84272045fc39952401061f10a2ba439d2f2a7c6e30f2448b757caf731df19
SHA512: 577ae3d2c9f46c57ba71a9437fdf47deac865605b31f0a0a2a2caef90a4346bfa12c0894fe9c3a8dc7a602516bde33d58d483a8c5547452397f15a824c07a864